[Oisf-users] question about http_uri and file_data
Victor Julien
lists at inliniac.net
Thu Jan 26 16:55:21 UTC 2017
On 26-01-17 17:52, erik clark wrote:
> I have a pcap I am trying to get a signature to fire off of. Here is the
> sig:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"packer";
> content:"menu|2e|js"; http_uri; file_data;
> content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; sid:1; rev:7;)
>
> I can't provide a pcap, but this is a standard dean edwards packer menu
> javascript.
>
> The problem I have is:
>
> the http_uri hit comes from local to remote (this is a get request).
> the file_data hit comes remote to local
>
> Is there any way to get one rule to fire off this? Maybe with flowbits?
Right now only flowbits can solve this.
We're thinking about adding a class of bidirectional rules for this
scenario, but that's for the future.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
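The flowbits approach Victor points to, as an added example that is not part of the original thread: the request-side rule sets a bit without alerting, and the response-side rule alerts only when that bit is already set on the same flow. The flowbit name and SIDs are placeholders chosen for this example.

```suricata
# Added example (not from the thread). Flowbit name and SIDs are placeholders.

# Request direction (client -> server): the GET for menu.js. Set the bit, do not alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"menu.js requested (flowbit set)"; flow:established,to_server; content:"menu|2e|js"; http_uri; flowbits:set,example.menujs_requested; flowbits:noalert; sid:1000001; rev:1;)

# Response direction (server -> client): body carries the packer header and the bit is set.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"packer in menu.js response"; flow:established,to_client; flowbits:isset,example.menujs_requested; file_data; content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; sid:1000002; rev:1;)
```

Because both rules key on the same TCP flow, the second one only fires for a packed response to a menu.js request rather than for every packed body seen.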